Following the money is a classic technique used by law enforcement to link criminals to crimes by tracing associated financial exchanges, but that may not be easy in the case of the WannaCry attacks.

The ransom paid in response to the WannaCry global ransomware attacks in May was considered key to discovering who was behind the attacks by identifying those who collected the money.

The ransom paid into bitcoin wallets has been under surveillance for two-and-a-half months. The funds have now been collected, which should theoretically lead to those behind WannaCry.

More than $140,000 worth of bitcoins has been drained from bitcoin wallets associated with the WannaCry attack that affected more than 200,000 computers in 150 countries.

According to a Twitter bot set up by Quartz journalist Keith Collins, all of the bitcoin wallets linked to the attack were emptied from around 4am UK time today (3 August 2017).

The ransomware demanded between $300 and $600 to restore data encrypted by the WannaCry malware, and the total collected suggests that around 300 victims paid up.

Although standard advice from the security industry and law enforcement is not to pay ransoms because it reinforces and perpetuates the business model, many firms pay out of desperation.

Money trail

Some security commentators have expressed surprise that the funds have been accessed, because it is believed that this will provide a money trail to the cyber criminals responsible for the WannaCry attacks.

Some have speculated that instead of attempting to convert the bitcoin into traditional currencies, the cyber criminals will attempt to remain anonymous by using the bitcoin on the deep web, the BBC reported.

Cyber extortionists typically demand payment in bitcoin because they believe it cannot be traced, but in recent years law enforcement has begun using software designed to link bitcoin sources and recipients.

Bitcoin tracking firm Chainalysis is a supplier of technology that enables law enforcement organisations to find the services that cyber criminals are using to convert bitcoin to cash or other digital currencies.

However, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said those behind the WannaCry attacks may have enough resources to avoid discovery.

According to Kolochenko, professional cyber criminals have well-established contacts with organised crime, financial institutions and even law enforcement agencies.

“It’s not a big problem to find a virtually untraceable way for bitcoin laundering. A lot of amateur cyber criminals were traced by various mistakes when they were trying to ‘cash out’, but professionals have different ways to stay in the shadows,” he said.

According to Michael Gronager, CEO and co-founder of Chainalysis, the latest bitcoins to be moved are associated with the more high-profile second wave of WannaCry attacks.

“The funds from the first campaign and the second campaign have gone through digital asset trading firm ShapeShift and into monero, a more anonymous cryptocurrency,” he told Computer Weekly.

But according to Gronager, approximately $100,000 is still sitting in the wallet of the WannaCry Ransomware 2.

“The actors’ campaign showed a lack of sophistication at the time of transaction, as they used static addresses for multiple different victims, making it impossible for them to tell which victim had paid. Either they have spent these months learning more about cryptocurrencies or someone is helping them,” he said.

Gronager believes that when value is moved online, even if more anonymous methods such as monero are employed, there is a good chance that those behind it will be identified over time.

“I agree that it is in principle possible to stay anonymous, but over time, the chances for slipping are there, and could lead to an arrest. WannaCry has a whole world of cyber investigators watching,” he said.

However, Gronager said the bigger threat probably lies in moving the funds to jurisdictions that are not willing to collaborate with law enforcement or with a poor infrastructure for oversight. “We have seen $81m being stolen through the Swift network and laundered in Asia - and that didn't involve bitcoin,” he said.
